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(54) Key management methods for wireless lans 

(57) The security keys in the mobile terminals and 
access points of a wireless local area network (WLAN) 
are created, utilized and managed for a communication 
session between a mobile terminal and access point. 
Both the WLAN link level security protection and IP se- 
curity functions of the network use the same Internet 



Key Exchange (IKE) key management protocol and use 
certificates in the same certificate hierarchy. When the 
mobile terminals associates with the network, it uses the 
IKE protocol with private keys and certificates to gener- 
ate WLAN link level keys with the access point and pro- 
vide mutual authentication. 
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Description 

BACKGROUND 

Field of the Invention 

[0001] This invention relates generally to methods 
and systems for providing data communications through 
a network. A particular aspect of the invention relates to 
key management methods for wireless local area net- 
works. 

Description of the Related Art 

[0002] In general, Wireless Local Area Networks 
(WLAN) are similar to conventional wired Ethernet Local 
Area Networks (LANs) in many respects. The primary 
distinction, of course, is that communications and ac- 
cess to the network for mobile terminals in a WLAN does 
not require a physical connection. Indeed, several Mo- 
bile Terminals (MTs) may access the network over the 
same frequency and air space. 
[0003] There are two different WLAN types. An ad- 
hoc WLAN is a simple network where communications 
are established between multiple mobile terminals with- 
out the use of an access point or server. The other 
WLAN type, client-server networks, have a basic archi- 
tecture as generally illustrated in Fig. 1 . An Access Point 
(AP) serves as a base station to control and coordinate 
the transmission states of the various mobile terminals 
within a Basic Service Set (BSS). The access point usu- 
ally supervises them when they roam from cell to cell. 
The access points also provide the mobile terminals with 
access to the WLAN and handle data traffic between to 
the wired orwireiss backbone (BB). 
[0004] The access points also route and control the 
flow of traffic between mobile terminals in the WLAN and 
other networks. Just as in wired networks, an internet- 
working unit (IWU) uses protocol manipulation to con- 
nect the WLAN to a network with a different protocol. 
Some internetworking units are relatively common, such 
as IP routers which are used to connect LANs to the 
Internet via an Internet Service Provider (ISP). 
[0005] The layer stack for a typical WLAN - 1 P Router 
- Internet connection is as shown in Fig. 2. As in any 
network, the bottom physical layer (PHY) defines the 
modulation and signaling characteristics for the trans- 
mission of data. In a WLAN, the physical layer defines 
such characteristics as transmission frequency, band- 
width and data rates, power output limits and spread 
spectrum techniques. Much as in an Ethernet network, 
the primary function of the next to bottom Media Access 
Control (MAC) layer is to prevent collisions between mo- 
bile terminals attempting to transmit data at the same 
time. An additional function of the MAC layer in a WLAN 
is power management and battery operation of the mo- 
bile terminals. 

[0006] A relatively large number number of different 



WLAN products are currently available. Unfortunately, 
these products are developed by different manufactur- 
ers and are generally incompatible with each other. The 
Institute for Electrical and Electronic Engineers (IEEE) 
5 has recently completed development of its 802.11 
WLAN standard which defines physical layer options for 
transferring data frames at 2.4 Ghz and sets forth MAC 
layer protocols. The 802.11 standard also includes cer- 
tain network management services, registration and au- 
thentication services. Another emerging WLAN stand- 
ard is the High Performance Radio Local Area Network 
(HIPERLAN2) for broadband data transmission at 
5GHz. 

[0007] Regardless of the physical layer and MAC lay- 
er specifications, data transmission security is an es- 
sential part of WLAN development. Since there are no 
physical connections required and the mobile terminals 
use a wireless link to access the WLAN via an access 
point, additional security features are used to protect 
transmitted data and network elements. These features 
include data and signaling encryption at the MAC layer, 
authentication of the mobile terminal when it connects 
to the network, and the authentication of each data 
packet to assure that the packet was sent by the claimed 
mobile terminal. The mobile terminal can also authenti- 
cate the network (that is, the access point) and the re- 
ceived packets. 

[0008] Some security provisions are included as an 
optional part of the IEEE 802.11 WLAN standards. In 
particular, data security on the wireless link level can be 
accomplished by a complex encryption technique 
known as Wired Equivalent Privacy (WEP). WEP pro- 
tects the data transmitted over the shared frequency 
and air space using a 64-bit seed key and the RC4 en- 
cryption algorithm. A pseudo-random number generator 
is initialized by a shared secret key and outputs a key 
sequence of pseudo-random bits equal in length to the 
largest possible packet which is combined with the out- 
going/incoming packet producing the packet transmit- 
ted in the air. 

[0009] When enabled, WEP only protects the data 
packet information from being captured by other mobile 
terminals (or similar equipment) for eavesdropping or 
other purposes and does not protect the physical layer 
header. Although the other mobile terminals on the net- 
work can not decrypt the data portions of the packet, they 
can listen to the control data needed to manage the net- 
work. WEP also does not prevent unauthorized access 
to the network. 

[0010] Similar to wired LANs, most WLANs require a 
mobile terminal registering itself with the network, such 
as through an access point, to authenticate itself as an 
authorized user by providing a password. As another 
measure of security, a WLAN may additionally or alter- 
natively require a mobile terminal to use a current ci- 
phering "key" before obtaining access to the network. 
[0011] Currently available WLAN products typically 
use symmetric pre-distributed keys. In other words, the 
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mobile terminal's ciphering key is stored in the mobile 
terminal itself and is distributed to all of the access 
points by the network manager. These products have 
the drawback that it is unpractical to change the key fre- 
quently. Usually the key is created by the network man- 
ager when the mobile terminal is used for the first time, 
and is never changed after that. It also becomes difficult 
to manage the keys when the wireless network grows 
to be large in size. 

BRIEF SUMMARY 

[0012] According to an aspect of the invention there 
is provided a method of managing security keys in a 
wireless local area network having a mobile terminal, an 
access point and a server, the method comprising the 
steps of: 

obtaining first and second certificates from a certif- 
icate authority; 

associating the mobile terminal with the access 
point; 

using a certificate authority certificate, first certifi- 
cate and private key with Internet Key Exchange 
(IKE) to generate a a WLAN link level key and mu- 
tually authenticating the mobile terminal and the ac- 
cess point using the IKE; and 
using a certificate authority certificate, second cer- 
tificate and private key with Internet Key Exchange 
(IKE) to generate IPsec authentication, encryption 
and decryption keys for data packets transferred 
between the mobile terminal and the server. 

[0013] An exemplary embodiment of the present in- 
vention is directed to methods of creating, utilizing and 
managing security keys for communication sessions be- 
tween a mobile terminal and an access point in a wire- 
less local area network. It addresses and solves the dis- 
advantages of wireless networks discussed above. In 
particular, it addresses the need for efficient key man- 
agement to accompany the link level security functions 
of currently available WLANs in order to prevent unau- 
thorized access to the network. 
[0014] In the exemplary embodiment, session keys 
are created for each communication session between a 
mobile terminal and one of the access points of the net- 
work ratherthan being pre-defined and stored in the mo- 
bile terminal. The exemplary embodiment thus solves 
at least one drawback discussed above insofar as no 
network maintenance is required when new mobile ter- 
minals or access points are added to the wireless net- 
work and no potential breach of security may occur re- 
lated to such need for maintenance. The exemplary em- 
bodiment of the invention achieves much better security 
than conventional wireless networks by using new keys 
for every communication session. 
[001 5] Other important aspects taken into considera- 
tion by embodiments of the invention are data confiden- 



tiality, data authenticity, and service availability. For ex- 
ample, one preferred embodiment of the invention in- 
corporates a widely used key management method in 
the network in order to allow continual service when 
5 roaming. The use of a standard public key protocol al- 
lows roaming to other networks. Thus, even global 
roaming is possible with a global key management 
method and a global certificate hierarchy. 
[0016] In another exemplary embodiment of the in- 
to vention, the IP (end-to-end) security functions and link 
level security protection are closely integrated. Both en- 
cryption and authentication are applied at the IPsec lev- 
el in order to avoid using WEP. If all of the payload data 
traffic of the mobile terminal receives the protection of 
is the IP security functions according to this exemplary 
embodiment, then WLAN link level encryption for the 
payload data traffic becomes unnecessary. 
[0017] In another example embodiment of the inven- 
tion, the IP security functions are used to authenticate 
20 MAC level message elements. Such use of standard 
protocols and interfaces available in the IP security func- 
tions reduces the work associated with the updating of 
the WLAN security functions. 



[0018] The foregoing and a better understanding of 
the present invention will become apparent from the fol- 
lowing detailed description of example embodiments 

30 and the claims when read in connection with the accom- 
panying drawings, all forming a part of the disclosure of 
the invention. While the foregoing and following written 
and illustrated disclosure focuses on disclosing exam- 
ple embodiments of the invention, it should be clearly 

35 understood that the same is by way of illustration and 
example only and is not to be taken by way of limitation, 
the scope of protection of the present invention being 
limited only by the terms of the claims in the patent is- 
suing from this application. 

*o [0019] Fig. 1 is a block diagram showing the architec- 
ture of a wireless local area network. 
[0020] Fig. 2 shows the layer stack for atypical WLAN 
- IP Router - Internet connection, such as may be used 
in the network shown in Fig. 1 . 

45 [0021] Fig. 3 is a flow diagram illustrating the combi- 
nation of IP end-to-end security functions and WLAN 
link level security in a first exemplary embodiment of the 
invention. 

[0022] Fig. 4 is a flow diagram illustrating the use of 
so uplink IP packet authentication in an access point with- 
out link level encryption in a second exemplary embod- 
iment of the invention. 

[0023] Fig. 5 is a generalized block diagram showing 
an IP authenticated message as part of a WLAN MAC- 
55 level message. 



25 BRIEF DESCRIPTION OF THE DRAWINGS 



3 



5 



EP 1 178 644 A2 



6 



DETAILED DESCRIPTION 

[0024] The exemplary embodiments of the present in- 
vention described herein are directed to specific meth- 
ods of creating, utilizing and managing security keys for 5 
communication sessions between a mobile terminal and 
an access point in a wireless local area network. The 
invention of course is not limited to such specific em- 
bodiments. It is more broadly directed to a diverse range 
of key management methods and systems for wireless 
networks. For example, although the exemplary embod- 
iments of the invention are described with reference to 
the IEEE 802.11 WLAN standards, alternative embodi- 
ments could be directed to HI PERLAN2 radio local area 
networks. 

[0025] The exemplary embodiments described here- 
after with reference to Figs. 3-5 efficiently manage se- 
curity keys in the mobile terminals and the access points 
of a wireless network by integrating the key manage- 
ment of the IP security functions and link level security 
protections. The main aspect of the embodiments is that 
both the WLAN link level security protection and IP se- 
curity use the same key management protocol and the 
same certificate hierarchy (i.e., both have the same root 
Certificate Authority). 

[0026] In particular, the example embodiments com- 
bine the use of the IKE (Internet Key Exchange) key 
management protocol and the linking of the WLAN and 
IP layer keys. IKE is described at length in RFC 2409 
by D. Harkins et al, entitled The Internet Key Exchange" 
and published by the Internet Engineering Task Force 
(IETF) in November 1998, and is hereby incorporated 
by reference. IKE is now a commonly used key man- 
agement protocol, and using it for the link level key man- 
agement is beneficial. 

[0027] As discussed above, additional security fea- 
tures, such as encryption and authentication, can be in- 
cluded in the WLAN link level. I n the I EE E 802. 1 1 WLAN 
standard, these features can be implemented through 
the encryption utilized in WEP. The elimination of a sep- 
arate (perhaps proprietary) WLAN link level key man- 
agement protocol makes the mobile terminals and ac- 
cess points simpler and easier to maintain. 
[0028] Fig. 3 shows a specific example of how the IKE 
and the associated certificate hierarchy can be used 
both for IP level security and the WLAN link level secu- 
rity. As shown, the mobile terminal (MT) communicates 
with a server using IPsec authenticated and encrypted 
data packets. The IPsec protocol is described in detail 
in Request for Comments 2401 by S. Kent etal., entitled 
"Security Architecture forthe Internet Protocol 0 and pub- 
lished by the Internet Engineering Task Force in Novem- 
ber 1 998, and hereby incorporated by reference. It is an 
IP layer based security protocol for providing secure 
"end-to-end" communication of pay load data packets 
between two IP hosts, at the option of the hosts when 
they believe that additional security is necessary, by au- 
thenticating and/or encrypting the data packets trans- 



ferred between the hosts. 

[0029] Although the authentication and/or encryption 
mechanisms used in the example embodiment of Fig. 3 
do not differ from those described in the protocol, the 
data packets are instead always authenticated and en- 
crypted as part of the standard (secure) operation of the 
WLAN whenever they are transferred between a mobile 
terminal and access point over the shared frequency 
and air space and not only when the mobile terminal or 
access point choose secured communication. This 
transfer can, but need not, be done using the WEP. 
[0030] IPsec uses symmetric cryptography which re- 
quires same encryption or authentication keys at both 
ends. A scalable key management protocol, such as 
IKE, is used to generate the symmetric keys for the 
IPsec stack. The key exchange is based on public key 
cryptography and on certificates given by a trusted third 
party (usually called a Certificate Authority (CA)). The 
most common current use of the IPsec protocol is for 
building Virtual Private Networks (VPN) in IPv4. 
[0031] In the example embodiment of Fig. 3, the mo- 
bile terminal, access point and Server first receive re- 
spective certificates (step 1 ) from a Certificate Authority 
belonging to the same certificate hierarchy (only one CA 
is shown in Fig. 3 merely for the sake of convenience). 
[0032] The certificates can be stored in a certificate 
server, in an access point, in the mobile terminal itself 
or in a separate smart card which can be used with the 
mobile terminal. Optionally, an access point or mobile 
station can store each other's certificate in order to avoid 
the need to exchange them during each association 
process, thereby saving bandwidth and the delay intro- 
duced when the mobile terminal is turned on for trans- 
mission. Preferably, the certification authority certificate, 
own certificate and private key can be included in the 
access points and mobile terminals at the time of man- 
ufacture. In this case, there is no need to perform main- 
tenance or network set-up when an access point or mo- 
bile terminal is added to a network. Alternatively, the net- 
work manager assigns the certificates to the mobile ter- 
minal or access point. 

[0033] A mobile station is only able to transmit and 
receive data frames after association with an appropri- 
ate access point is completed. The association process 
comprises the transfer of information about the mobile 
station and its capabilltes to the network so that it can 
determine which one of several different access points 
will communicate with the mobile station. When the mo- 
bile terminal first associates with a respective access 
point in the network, it uses the IKE with private key and 
the certificates to generate the WLAN link level keys with 
that access point (step 2). Mutual authentication of both 
the mobile terminal and access point is achieved by this 
process. If end-to-end IPsec security is employed ac- 
cording to the exemplary embodiment of the invention, 
the mobile terminal uses the I KE to generate the authen- 
tication keys and ciphering keys (step 3) with the net- 
work server. When transmitting packets, the IPsec ker- 
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nel in the mobile terminal generates the Authentication 
Header (AH) and encrypts the packets. In the server, 
the packets are authenticated and decrypted (step 4). 
Link level session keys (e.g., with WEP) are used to en- 
crypt traffic over the shared frequency and air space 
(step 5). 

[0034] Although not shown in Fig. 3, an optional fea- 
ture of the embodiment is to make the WLAN security 
adapt to the standard key management interface of the 
IPsec kernel (i.e., the PF_KEY socket interface de- 
scribed in RFC 2367 by D. McDonald et al, entitled 
"PF_KEY Key Management API, Version 2" and pub- 
lished by the Internet Engineering Task Force (IETF) in 
July 1998, which is hereby incorporated by reference in 
its entirety). This prevents the need for any modifica- 
tions to the IKE protocol, thus allowing the use of any 
IKE implementation. If a standard IKE is used for WLAN- 
level key management, it is preferably extended so that 
it knows not to give the negotiated keys to the IPsec 
stack. However, the link level and IPsec security asso- 
ciations (SAs), negotiated by the IKE, can be stored in 
the same security association (SA) database so that the 
WLAN portion of the kernel stack can easily find them. 
[0035] The second example embodiment shown in 
Fig. 4 is a variant of the first embodiment shown in Fig. 
3. Many of the features of the second embodiment are 
thus the same as those in the first embodiment and the 
description thereof is not repeated merely for the sake 
of convenience. The second embodiment differs from 
the first embodiment at least insofar as the IPsec Au- 
thentication Header (AH) is used for the authentication 
of the (uplink) data packets sent from the mobile termi- 
nal to the access point. In particular, the mobile terminal 
indicates the IPsec authentication keys (i.e., the authen- 
tication security association) to the access point (step 
3a). Since payload packet authentication is needed in 
the access point for access control and charging, the 
packets are authenticated in the access point based on 
the IP end-to-end security authentication. In particular, 
the access point authenticates the payload data packets 
based on the IPsec Authentication Header (step 5). The 
need for additional WLAN link level authentication func- 
tions for the payload data traffic is thereby avoided. This 
method requires that the IPsec security protocol is used 
for all of the uplink traffic of the mobile terminal. Prefer- 
ably, either AH or ESP with its own authentication ex- 
tension is the outermost iPsec header in the transmitted 
packet (applied last by the sending end and first by the 
receiving end) so that the authentication header of the 
packet is not encrypted and unavailable to the access 
point. 

[0036] In the second embodiment of Fig. 4, the mobile 
terminals and the access points must authenticate all of 
the data packets sent for mutual authentication and ac- 
cess control purposes. The needed cryptographic func- 
tions may be implemented as part of the WLAN layer as 
shown in Fig. 3, but the required features exist already 
in the IPsec kernel. In some cases, it is possible that the 



utilization of these kernel IPsec features, sometimes re- 
ferred to as "packet circulation", for the sending and re- 
ceiving of authenticated WLAN link level message will 
be beneficial. In other cases, it will not be sensible be- 

5 cause of poor performance. Sometimes it may not even 
be possible because of missing operating system fea- 
tures. In those cases a better alternative is to implement 
the necessary authentication functions in the WLAN 
control process. 

10 [0037] In the third exemplary embodiment shown in 
Fig. 5, a WLAN control process in a mobile terminal 
sends an IPsec authenticated message to an access 
point as part of WLAN MAC- level message. The WLAN 
control process in the access point receives the mes- 

15 sage and authenticates it using its I Psec kernel . The fol- 
lowing phases are illustrated in Fig. 5: 

1) The control process in the mobile terminal pass- 
es a data packet to be authenticated to IPsec ker- 

20 nel. 

2) The IPsec kernel is adapted to build an Authen- 
tication Header (AH) packet and passes it back to 
the control process. The packets to receive this spe- 
cial handling may be determined on the basis of the 

25 port number reserved for the WLAN control proc- 
ess. 

3) The WLAN control process builds the MAC-level 
message and sends it to the access point. 

4) The MAC-level message containing the authen- 
30 tication data is received by the access poi nt th rough 

a network interface. 

5) The MAC-level message is passed to the control 
process of the access point by the network inter- 
face. 

35 6) The control process of the access point deter- 
mines that the MAC-level message contains IPsec 
authenticated data, and extracts the IPsec payload 
from the WLAN message. The extracted IPsec pay- 
load is sent through the network interface to the ker- 

40 net to be authenticated (port number is reserved for 
the WLAN value). 

7) The payload passes authentication process in 
the IPsec kernel and is passed back to the control 
process. The reception of the message confirms the 
45 authentication to the control process (the control 
process recognizes the packet from the reserved 
WLAN port number). 

[0038] Any of the embodiments described above can 
so be implemented to permit key management even when 
roaming. Indeed, global roaming can be accomplished 
utilizing the global certificate hierarchy created for the 
IPsec. Roaming is the process of a mobile terminal mov- 
ing from one access point in a WLAN to another without 
55 losing its connection with the network. A re-association 
process is typically performed at each new access point 
when roaming. Since mutual authentication is carried 
out between the mobile terminal and the access point 
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ferred from the mobile terminal utilizing the IPsec 
authentication and decryption keys. 

6. The method recited in claim 5, wherein the data 
5 packets are transferred from the mobile terminal to 

the access point using WLAN link level encryption 
in addition to the IPsec encryption. 

7. The method recited in claim 6, wherein the WLAn 
10 link level encryption comprises Wired Equivalent 

Pricay (WEP) encryption. 

8. The method recited in claim 1 , wherein the data 
packets are transferred from the mobile terminal to 

15 the access point without using WLAN link level en- 
cryption. 

9. The method recited in claim 8, wherein the mobile 
terminal forwards the IPsec authentication key to 

20 the access point. 



by the IKE at every association in the example embod- 
iment, the result can be used in a subsequent re-asso- 
ciation to authenticate the handover of a mobile terminal 
to a new access point when roaming. 
[0039] Global WLAN roaming will become possible as 
soon as the IPsec certificate hierarchy becomes globally 
available. 

[0040] While the foregoing has described what are 
considered to be example embodiments of the inven- 
tion, it is understood that various modifications may be 
made therein and that the invention may be implement- 
ed in various forms and embodiments, and that it may 
be applied in numerous applications, only some of which 
have been described herein. It is intended by the follow- 
ing claims to claim all such modifications and variations. 



Claims 

1. A method of managing security keys in a wireless 
local area network having a mobile terminal, an ac- 
cess point and a server, the method comprising the 
steps of: 

obtaining first and second certificates from a 
certificate authority; 

associating the mobile terminal with the access 
point; 

using a certificate authority certificate, first cer- 
tificate and private key with Internet Key Ex- 
change (IKE) to generate a a WLAN link level 
key and mutually authenticating the mobile ter- 
minal and the access point using the IKE; and 
using a certificate authority certificate, second 
certificate and private key with Internet Key Ex- 
change (IKE) to generate IPsec authentication, 
encryption and decryption keys for data pack- 
ets transferred between the mobile terminal 
and the server. 

2. The method recited in claim 1 , wherein the certifi- 
cate authority certificate, private key, and the first 
and second certificates are stored in the mobile ter- 
minal. 

3. The method recited in claim 2, wherein the certifi- 
cate authority certificate, private key, and the first 
and second certificates are stored in the mobile ter- 
minal at the time of manufacture of the mobile ter- 
minal. 

4. The method recited in claim 1 , wherein the mobile 
terminal generates an authentication header for 
transferred data packets utilizing the IPsec encryp- 
tion key. 

5. The method recited in claim 1 , wherein the server 
authenticates and decrypts data packets trans- 



10. The method recited in claim 9, wherein the access 
point authenticates data packets from the mobile 
terminal using the IPsec authentication key for- 

25 warded from the mobile terminal. 

11. The method recited in claim 1 , wherein the mobile 
terminal sends an IPsec authenticated message to 
an access point as part of a MAC-level message of 

30 the wireless local area network. 
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